Applying the Principles of the Quantified Self to Cloud Security

I like the ideas behind the quantified self. This has not driven me to purchase an Apple Watch, but I am now on my second Fitbit. I also use MyFitnessPal, RunKeeper, Mint, and Jenkins. These services provide low-friction visibility into otherwise obscured aspects of my life. The first step to self-improvement is to "know thyself."

The quantified self introduces an element of continuous monitoring to my life. I could get a snapshot of my health once a year at my physical, or just eyeball it in the mirror, but neither provides the visibility needed to optimize it. Auditing my finances once a year at tax time is better than nothing, but by itself it will not lead to wealth.

Continuous monitoring greatly increases how much meaningful tuning can happen. We are free to respond when we get some feedback, but responding again without new feedback amounts to guesswork. A steady stream of information means a steady stream of meaningful decision points.

Finer-grained tuning allows issues to be addressed sooner. Consider the Mount Erebus plane crash of 1979. Someone had modified the flight's programmed coordinates by only two degrees. The crew did not correct the deviation because they never discovered it. The flight ended with the death of everyone on board when it struck the side of an active volcano, 28 miles from where the pilots thought they were. Not only would discovery of the issue have saved the lives of those on the plane, earlier discovery would have required a smaller correction.

Bringing that morbid example back to the quantified self, consider setting a weight loss goal. I can determine a plan and then execute it for six months. Hitting my goal at that point would be great, but I wouldn't really know how to adjust for the next stretch. If I missed my goal, I might not know why. More importantly, wouldn't I want to know I'm going to miss it as early as possible, so that I can adjust my course and still get where I want to go?

This discussion of visibility and the quantified self ties back to digital security. The first step to improving our digital defenses is to understand the theatre of action. That does not just mean monitoring the network border or gathering signals intelligence on events, but everything: a complete picture. That picture also needs to update continually. Companies take an average of seven months to detect breaches, which suggests they are following the yearly-checkup model to one extent or another.

The typical attack establishes a beachhead on your assets and then uses it to move laterally. Establishing that point of entry and then leveraging it is a chain of steps that takes time, and the chain can be detected and broken at any given link. Any increase in visibility can also highlight potential blind spots.

Consider what a bad actor can do in the few months before detection. We would like to prevent any action at all, but reacting more quickly results in less damage. Whether that means less stolen intellectual property, fewer private records leaked, or less digital damage (think: CryptoLocker), each incident does not have to end in a catastrophic crash on the side of an Antarctic mountain.

Root cause and forensic analysis become feasible under greater visibility. A periodic scan lets behavior run rampant between scans. Logging often has to be throttled to avoid dramatically affecting system performance. The sooner a malicious action gets caught, the smaller the haystack we have to search. The longer it goes undetected, the more we have to sift through to find the culprit.
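To put the chain-and-haystack argument of the two preceding paragraphs into working code, here is an added example; it is not code from the original post or from Threat Stack's agent. It runs a small stateful detector over a constructed stream of host events (the host names, addresses, event shape and three-stage chain model are all assumptions made for the illustration) and contrasts two ways of consuming the same events: evaluating each one as it arrives, or examining the stream only at a periodic scan boundary. For each it reports when the alert lands, how many events have piled up to review by then, and how far the attacker had already gotten.

```python
"""Continuous evaluation vs. periodic scanning over a constructed host-event stream.

Assumed, not from the post: the event shape, host names, IP addresses,
the three-stage chain model and the alerting threshold.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: int       # seconds since the stream started
    host: str     # host that emitted the event
    kind: str     # "login" (detail = user@src_ip), "exec" (command), "connect" (dst_ip:port)
    detail: str


# Hypothetical fleet: host name -> its internal address.
HOST_IPS = {"web-1": "10.0.0.11", "db-1": "10.0.0.21"}

# Constructed sample stream (not real telemetry). Routine noise with an
# intrusion chain woven in: external login (beachhead) -> credential theft ->
# lateral ssh to db-1 -> archive -> outbound transfer to an external address.
SAMPLE_STREAM: List[Event] = [
    Event(0,    "web-1", "exec",    "/usr/sbin/cron"),
    Event(60,   "web-1", "login",   "deploy@10.0.0.5"),        # routine internal login
    Event(120,  "db-1",  "exec",    "/usr/bin/pg_dump"),        # nightly backup
    Event(900,  "web-1", "login",   "www-data@203.0.113.7"),   # beachhead: external source
    Event(930,  "web-1", "exec",    "cat /home/deploy/.ssh/id_rsa"),
    Event(1200, "db-1",  "login",   "deploy@10.0.0.11"),       # lateral: source is web-1
    Event(1260, "db-1",  "exec",    "tar czf /tmp/x.tgz /var/lib/postgresql"),
    Event(1320, "db-1",  "connect", "198.51.100.9:443"),       # exfil: external destination
    Event(1800, "web-1", "exec",    "/usr/sbin/cron"),
]

STAGE_RANK = {"beachhead": 1, "lateral": 2, "exfil": 3}


def is_internal(ip: str) -> bool:
    """Simplified private-range check; sufficient for the constructed addresses."""
    return ip.startswith(("10.", "192.168.", "172.16."))


class ChainDetector:
    """Evaluates one event at a time and tracks which hosts are implicated.

    beachhead: a login on a host from an external address
    lateral:   a login whose source address belongs to an already-implicated host
    exfil:     an implicated host opens an outbound connection to an external address
    Each link is reported as it happens, so alerting can fire on any of them.
    """

    def __init__(self, host_ips):
        self.ip_to_host = {ip: host for host, ip in host_ips.items()}
        self.compromised = {}  # host -> ts when first implicated

    def observe(self, ev: Event) -> Optional[str]:
        if ev.kind == "login":
            _user, src = ev.detail.rsplit("@", 1)
            if not is_internal(src):
                self.compromised.setdefault(ev.host, ev.ts)
                return "beachhead"
            if self.ip_to_host.get(src) in self.compromised:
                self.compromised.setdefault(ev.host, ev.ts)
                return "lateral"
        elif ev.kind == "connect":
            dst = ev.detail.rsplit(":", 1)[0]
            if ev.host in self.compromised and not is_internal(dst):
                return "exfil"
        return None


def first_alert(events: List[Event], min_stage: str = "lateral",
                scan_interval: Optional[int] = None) -> Optional[Tuple[int, str, int]]:
    """Return (detected_at, stage, haystack) for the first finding at or above min_stage.

    scan_interval=None models continuous evaluation: the alert lands at the event's
    own timestamp and the haystack is the number of events seen so far.
    A positive scan_interval models a periodic scan: the event is only examined at
    the next scan boundary, so detection lands there and the haystack is everything
    that accumulated up to that scan.
    """
    detector = ChainDetector(HOST_IPS)
    for seen, ev in enumerate(sorted(events, key=lambda e: e.ts), start=1):
        stage = detector.observe(ev)
        if stage is None or STAGE_RANK[stage] < STAGE_RANK[min_stage]:
            continue
        if scan_interval is None:
            return ev.ts, stage, seen
        scan_ts = -(-ev.ts // scan_interval) * scan_interval  # next scan boundary
        return scan_ts, stage, sum(1 for e in events if e.ts <= scan_ts)
    return None


def furthest_stage(events: List[Event], by_ts: int) -> Optional[str]:
    """Highest chain stage reached by by_ts: what the responder inherits when the alert lands."""
    detector = ChainDetector(HOST_IPS)
    reached = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts > by_ts:
            break
        stage = detector.observe(ev)
        if stage and (reached is None or STAGE_RANK[stage] > STAGE_RANK[reached]):
            reached = stage
    return reached


if __name__ == "__main__":
    for label, interval in (("continuous", None), ("hourly scan", 3600)):
        at, stage, haystack = first_alert(SAMPLE_STREAM, scan_interval=interval)
        print(f"{label:12s} alert on {stage!r:12s} at t={at:5d}s, {haystack} events to review, "
              f"attacker already at {furthest_stage(SAMPLE_STREAM, at)!r}")
```

Run directly, the script shows continuous evaluation flagging the lateral login at t=1200s with six events to review, while the hourly scan reports the same finding at t=3600s with nine events to review, after the outbound transfer has already happened. The detector is deliberately simple; the point is that the same logic, fed continuously, catches the chain at an earlier link and leaves a smaller haystack to sift.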

We want security systems that continuously monitor our assets. That lets us finely tune our security posture, and it lets us respond to issues more quickly, making any incidents that do occur less severe. The saying goes that "when performance is measured, performance improves." Anyone looking at the headlines today knows that the performance of security needs to improve.

Nathan Cooprider is a Senior Software Engineer working on the Threat Stack instance agent. Nathan comes to Threat Stack from the endpoint engineering team of Bit9 + Carbon Black. Prior to Bit9, Nathan led the signal processing software team for the MQ-9 Predator drone at BAE. He received his BS in CS from Brigham Young University and his PhD in CS from the University of Utah. Nathan has over a decade of experience working with computer systems. This includes eight refereed publications on the static analysis of microcontroller applications written in C. He also wrote a paper on multivariate data visualization, co-authored a paper on multiple hypothesis tracking, and has supported language modeling research. Nathan's accumulated experience with various software engineering languages and tools includes C, C++, Python, Doxygen, Jenkins, OCaml, CIL, CMake, and many others.